diff options
author | Maciej S. Szmigiero <mail@maciej.szmigiero.name> | 2020-11-22 02:06:47 +0100 |
---|---|---|
committer | Maciej S. Szmigiero <mail@maciej.szmigiero.name> | 2022-05-22 20:45:16 +0200 |
commit | 72839de16243fb410d587e18d76d3b637fa3f389 (patch) | |
tree | 895cb2bb1364702ce171dce6e032d8d8f2cffdd5 /genkernel.conf | |
parent | arch: Copy s390 config to s390x (it's 64bit anyway!) (diff) | |
download | genkernel-72839de16243fb410d587e18d76d3b637fa3f389.tar.gz genkernel-72839de16243fb410d587e18d76d3b637fa3f389.tar.bz2 genkernel-72839de16243fb410d587e18d76d3b637fa3f389.zip |
genkernel: add keyctl support for loading LUKS passphrase into a keyring
cryptsetup LUKS2 format comes with an ability to automatically unlock
multiple devices (root, swap, etc.) sharing the same passphrase, without
retyping it for each of them, by loading it into the user keyring.
This commit adds such (optional) genkernel support for loading LUKS
passphrase into the user keyring on boot.
In the default mode of operation the newly added key is (possibly) used
only to unlock root and swap devices and is removed soon after that.
By providing appropriate kernel command line parameter the key can be left
in the keyring instead (with an optional timeout) for unlocking other LUKS
devices post-initramfs time.
Because one of the most common use cases of this functionality will be
having an encrypted swap for doing suspend to disk (hibernation) let's also
make sure that we don't unlock the root device when doing so is unnecessary
(when we are resuming the system from hibernation).
Since the security of a FDE passphrase is of paramount importance in this
solution significant care has been taken not to leak it accidentally:
* The passphrase is read directly by keyctl to avoid storing it in the
shell,
* If the passphrase is used only to unlock root and swap devices (which is
the default mode of operation) the init script will check whether its
removal from keyring has actually succeeded and, if not, reboot the system
rather than continue while leaving it exposed,
* keyutils includes a patch (already upstreamed) to wipe the passphrase
from memory when no longer needed.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Diffstat (limited to 'genkernel.conf')
-rw-r--r-- | genkernel.conf | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/genkernel.conf b/genkernel.conf index 7d104962..7045e187 100644 --- a/genkernel.conf +++ b/genkernel.conf @@ -80,6 +80,9 @@ NOCOLOR="false" # Add GnuPG support #GPG="no" +# Add keyctl support for loading LUKS passphrase into a keyring +#KEYCTL="no" + # Add in early microcode support: this sets the kernel options for early microcode loading # Possible values: empty/"no", "all", "intel", "amd" #MICROCODE="all" |